Ransomware attacks have been named by several organisations as one of the biggest cyber threats to businesses, both now and in the near future. It is therefore important that businesses understand this type of cyber threat and how it can affect them.
Definition of ransomware
Ransomware is a type of malware, i.e. malicious software in the same family as viruses and worms, that infects a computer, server or network. Ransomware is usually divided into two types: locker ransomware and crypto-ransomware. Locker ransomware locks the victim out of the device or its screen without encrypting the files on it; crypto-ransomware encrypts the files themselves.
Once ransomware has been installed on a device, such as a computer, it encrypts the victim's files or locks the device, and in many modern attacks it also copies data off the device first. All data thus becomes inaccessible to the owner, whether documents, pictures, videos, etc.
The owner, or victim, is then told that they must pay a ransom to regain access to their data.
How do ransomware attacks work?
As ransomware is a type of malware, it must first get onto a device. This is typically done through phishing: a person clicks on a link in a phishing email and is sent to a fake website that downloads the malware to the device.
It can also happen when a person opens a malware-infected attachment from a phishing email, or installs something offered by a fake pop-up advertisement on the internet.
Locker ransomware, which does not encrypt, blocks access to the device or its screen. Many attacks, whether they lock or encrypt, also copy data off the network first. The cybercriminals look through it for sensitive business data or user data and then contact the victim and tell them what kind of data they have come into possession of.
They may threaten to publish the data, or to contact customers and business partners and tell them that the victim has not looked after their users' data. The cybercriminals demand a ransom for not carrying out these threats; combined with encryption, this tactic is known as double extortion.
Crypto-ransomware encrypts the files and data on every drive the infected device can reach, including mounted network shares. The cybercriminals then contact the victim and demand a ransom, in exchange for which they promise to hand over the decryption key needed to recover the files and data.
Often, after a ransomware attack, a ransom note appears on one of the locked devices, explaining the conditions and how much money the victims have to pay. It also tells victims how to buy cryptocurrency, typically Bitcoin, to pay with.
In some cases, cybercriminals even give victims the number of a fake "support hotline" where they can get help buying Bitcoin and transferring the money. The cybercriminals will sometimes decrypt a few individual files for free to prove that they are able to decrypt the files and data.
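The reason the decryption key has to come from the attackers is the key management most crypto-ransomware families use: each file is encrypted with a fresh random data key, and that data key is itself encrypted to a public key the attackers hold the private half of. The victim's disk therefore contains only ciphertext and wrapped keys. The following Go program is an added example written for this article, not code from any real ransomware family or from the author; it assumes the common AES-GCM plus RSA-OAEP hybrid scheme on an in-memory sample document, and the names (encryptFile, decryptFile, demoRoundTrip) are illustrative.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WrappedFile is what the victim is left with after the encryption pass:
// the ciphertext and the per-file data key, encrypted to the attacker's public key.
type WrappedFile struct {
	Ciphertext []byte // AES-GCM output with the nonce prepended
	WrappedKey []byte // RSA-OAEP(dataKey) under the attacker's public key
}

// encryptFile mimics one file of the encryption pass with a fresh random data key.
func encryptFile(plain []byte, attackerPub *rsa.PublicKey) (WrappedFile, error) {
	dataKey := make([]byte, 32) // AES-256 key, never written to disk in the clear
	if _, err := rand.Read(dataKey); err != nil {
		return WrappedFile{}, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return WrappedFile{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return WrappedFile{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return WrappedFile{}, err
	}
	ct := gcm.Seal(nonce, nonce, plain, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, dataKey, nil)
	if err != nil {
		return WrappedFile{}, err
	}
	return WrappedFile{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// decryptFile is what the attackers' decryptor does: without the private key the
// data key cannot be unwrapped, so the ciphertext stays ciphertext.
func decryptFile(f WrappedFile, attackerPriv *rsa.PrivateKey) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, f.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key: %w", err)
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(f.Ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, f.Ciphertext[:ns], f.Ciphertext[ns:], nil)
}

// demoRoundTrip runs the scenario end to end. It returns whether the victim could
// decrypt with a key pair of their own (expected false) and whether the attacker's
// private key recovers the original bytes (expected true).
func demoRoundTrip() (victimAlone bool, withAttackerKey bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	victimGuess, err := rsa.GenerateKey(rand.Reader, 2048) // any key the victim has is not the right one
	if err != nil {
		return false, false, err
	}
	plain := []byte("Board minutes, Q3: revenue up 4%.") // constructed sample document
	wf, err := encryptFile(plain, &attacker.PublicKey)
	if err != nil {
		return false, false, err
	}
	_, errGuess := decryptFile(wf, victimGuess)
	victimAlone = errGuess == nil
	got, err := decryptFile(wf, attacker)
	if err != nil {
		return victimAlone, false, err
	}
	return victimAlone, bytes.Equal(got, plain), nil
}

func main() {
	alone, withKey, err := demoRoundTrip()
	fmt.Println("victim can decrypt alone:", alone, "| attacker key recovers file:", withKey, "| err:", err)
}
```

The point the program makes is that backups are the only recovery path that does not depend on the attackers: every key that could open the files was generated on the victim's machine and immediately encrypted to a key only the attackers hold.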
Should the ransom be paid?
For many years, there was no guarantee that the cybercriminals would actually send a decryption key and unlock a company's systems once it had paid. The general advice was therefore never to pay the ransom.
This changed the way the attackers operated. Many companies did not pay, which cut off the attackers' source of income. In response, ransomware authors started providing ransomware as a service (RaaS).
The cybercriminals operate in groups
More and more attackers work in large groups or networks, and the groups behind ransomware attacks now sell ransomware as a service. Ransomware as a service is a software package containing the ransomware itself, sold to attackers (affiliates) who lack the skills to develop the ransomware themselves.
Ransomware as a service is therefore provided by developers who specialise in building the ransomware, and it is used to carry out attacks by other criminals.
Affiliates can pay for ransomware as a service either through a subscription or through profit-sharing, where they hand over a share of every ransom to the group they obtained the ransomware from.
Because profit-sharing only pays out when companies pay, the groups behind ransomware attacks have a strong commercial incentive to deliver a working decryptor, and many advertise that they will. That is still a promise from a criminal rather than a guarantee: decryptors can be slow, buggy or incomplete, and paying does nothing to recover data that has already been stolen.
Consequences of a ransomware attack
A business that falls victim to ransomware can suffer a significant financial loss, as business productivity typically comes to a halt during and shortly after the attack.
The company may also lose a lot of data, which can be both business sensitive or personal information. If the hackers release the data and/or contact customers and business partners, this can damage the company's reputation and stakeholders may lose trust in the company.
In very serious cases, companies may risk legal action if stakeholders sue them.
Ransomware halts business productivity, so the first step after an attack is to contain it: isolate infected machines from the network so the encryption stops spreading. The company can then either restore files and data from backups, provided it has backups that the attackers could not reach, or pay the ransom.
Police or intelligence services may get involved, but tracking down the people behind a ransomware attack takes many resources and does not speed up the company's return to normal operations. It is also very difficult to catch them, as they have become experts at hiding their tracks.
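Containing an attack quickly depends on noticing the encryption pass while it is running. One signal defenders use is that encrypted output looks random, so a burst of rewritten files whose byte entropy jumps to nearly 8 bits per byte, across many documents within a short window, is a strong indicator. The Go program below is an added example for this article, not a tool from the page or from any vendor; it runs over a constructed timeline of file-write events (the event shape, the `.locked` extension and the list of formats that are high-entropy by design are assumptions for the example) and shows why archives and images must be excluded to avoid false positives.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math"
	"path/filepath"
	"sort"
	"strings"
)

// WriteEvent is one observed file write, as an EDR or file-integrity monitor might report it.
type WriteEvent struct {
	TS   float64 // seconds since some epoch
	Path string
	Data []byte // sample of the bytes written
}

// shannonEntropy returns bits per byte: English text is roughly 4-5, encrypted or compressed data close to 8.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n := float64(len(b))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// highEntropyByDesign lists formats that legitimately look random; writes to them are not evidence on their own.
var highEntropyByDesign = map[string]bool{".zip": true, ".gz": true, ".7z": true, ".jpg": true, ".png": true, ".mp4": true}

func suspicious(e WriteEvent, threshold float64) bool {
	if highEntropyByDesign[strings.ToLower(filepath.Ext(e.Path))] {
		return false
	}
	return shannonEntropy(e.Data) >= threshold
}

type Alert struct {
	Start float64
	Count int
	Paths []string
}

// detectMassEncryption flags every burst of at least minFiles suspicious writes within windowSec seconds.
func detectMassEncryption(events []WriteEvent, windowSec float64, minFiles int, threshold float64) []Alert {
	var sus []WriteEvent
	for _, e := range events {
		if suspicious(e, threshold) {
			sus = append(sus, e)
		}
	}
	sort.Slice(sus, func(i, j int) bool { return sus[i].TS < sus[j].TS })
	var alerts []Alert
	for i := 0; i < len(sus); {
		j := i
		for j < len(sus) && sus[j].TS-sus[i].TS <= windowSec {
			j++
		}
		if j-i >= minFiles {
			a := Alert{Start: sus[i].TS, Count: j - i}
			for _, e := range sus[i:j] {
				a.Paths = append(a.Paths, e.Path)
			}
			alerts = append(alerts, a)
			i = j // one alert per burst
		} else {
			i++
		}
	}
	return alerts
}

// pseudoRandom yields deterministic random-looking bytes, a stand-in for ciphertext in the constructed sample.
func pseudoRandom(n int, seed string) []byte {
	out := make([]byte, 0, n+32)
	h := sha256.Sum256([]byte(seed))
	for len(out) < n {
		h = sha256.Sum256(h[:])
		out = append(out, h[:]...)
	}
	return out[:n]
}

// sampleEvents is a constructed timeline: a normal document edit, one legitimate archive write,
// then twelve documents rewritten as ciphertext in under thirty seconds.
func sampleEvents() []WriteEvent {
	text := []byte(strings.Repeat("Quarterly revenue figures and notes for the board meeting. ", 70))
	ev := []WriteEvent{
		{TS: 0, Path: `C:\Users\alice\Documents\memo.docx`, Data: text},
		{TS: 5, Path: `C:\Users\alice\Downloads\photos.zip`, Data: pseudoRandom(4096, "zip")},
	}
	for i := 0; i < 12; i++ {
		p := fmt.Sprintf(`C:\Users\alice\Documents\report-%02d.xlsx.locked`, i)
		ev = append(ev, WriteEvent{TS: 120 + float64(i)*2, Path: p, Data: pseudoRandom(4096, p)})
	}
	return ev
}

func main() {
	for _, a := range detectMassEncryption(sampleEvents(), 60, 10, 7.5) {
		fmt.Printf("ALERT at t=%.0fs: %d high-entropy rewrites, e.g. %s\n", a.Start, a.Count, a.Paths[0])
	}
}
```

Entropy alone is a noisy signal; in practice it is combined with other evidence from the same window, such as the appearance of a ransom note, many files gaining the same new extension, or shadow copies being deleted. The constructed sample triggers exactly one alert, on the twelve-file burst, while the archive write at t=5s is ignored because its format is expected to look random.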
Examples of known types of ransomware
WannaCry: This ransomware used the EternalBlue exploit for a vulnerability in the SMBv1 file-sharing protocol of Microsoft Windows, which Microsoft had patched as MS17-010 two months earlier, to spread as a worldwide worm in May 2017. It infected over 250,000 systems before a security researcher registered the domain that acted as its kill switch.
NotPetya: This form of ransomware is considered one of the most destructive in existence. NotPetya was used in a worldwide cyberattack in 2017 that started by infecting systems in Ukraine. It overwrites the master boot record of Windows-based systems with its own bootloader and encrypts the file system's master file table, and it spreads with the same EternalBlue exploit as WannaCry, combined with stolen Windows credentials and legitimate administration tools.
Many classify it as a "wiper" rather than true ransomware: the "installation key" shown in its ransom note was random, so the attackers could not have produced a decryption key even if paid, and the affected systems were effectively unrecoverable.
It was also NotPetya that hit Maersk in 2017, costing the company between $250 and $300 million.
CryptoLocker: This was one of the first types of ransomware attacks that required cryptocurrency, in the form of Bitcoin, to decrypt users' data.
It was spread in 2013 via email attachments purporting to come from FedEx and UPS. The attack cost victims around $27 million in total before a decryption tool was released in 2014.
Bad Rabbit: Bad Rabbit works similarly to NotPetya, but differs in that victims can actually have their files decrypted if the ransom is paid. In most cases, Bad Rabbit was spread via a fake Adobe Flash Player update offered on compromised websites.
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master's degree in Danish and a great interest in cybercrime, which resulted in a master's thesis project on phishing.